Running Nessus

Before you can connect to the server, you must first add a Nessus user, using
the nessus-adduser command.

Now, run nessus to launch the Nessus client and login as the
user you just created. Next, take a look at the different plugins you can
select from the Plugins tab.

Figure 1. Selecting Nessus plugins.

The Enable all but dangerous plugins button will disable plugins
that are known to crash the remote services being scanned. Also take a look at
the scans listed under the Denial of Service category. It is a good
idea to disable these checks when scanning hosts that provide critical
services.

Use the Filter button to search for specific plugin scripts. For
example, it is possible to search for vulnerability checks that have a certain
word in their description or by the CVE name of a specific
vulnerability. It is up to the author of each specific vulnerability check to
make sure he provides all appropriate information and places his script under
the proper category. As you will note by looking at the descriptions of some of
the vulnerability checks, some authors do not do a good job of filling in this
information, so be careful.

Figure 2. Nessus preferences.

Next, click on the Preferences tab. Under this section, you can set various
options that will affect the way Nessus will perform its scans. Most of the
options are self-explanatory. One important preference is that of Nmap options.
Nmap is one of the best port-scanners available today, and Nessus can use it to
port scan target hosts (make sure to select Nmap in the Scan Options tab). The
connect() technique completes the 3-way TCP handshake in order to identify
open ports. This means that services running on the remote host will likely log
your connection attempts. The SYN scan does not complete the TCP handshake. It
merely sends a TCP packet with the SYN flag set and waits for a response.
Receiving a RST packet in response indicates that the host is alive and the
port is closed. Receiving a TCP packet with the SYN+ACK flags set indicates that
the target is listening on the port. Since this method never completes the TCP
handshake, the application listening on that port never sees a connection and
so will not log it, which makes the scan stealthier at the application layer;
an IDS watching the network can still detect it. See the nmap man page for more
information on other Nmap scanning options and techniques.

Figure 3. Nessus scan options.

The Scan options tab allows you to specify the port range that you want
Nessus to port-scan. TCP and UDP ports range from 1 to 65535. Use
default for the port range to scan the ports listed in the
nessus-services text file. Although Nessus is smart enough to
recognize services running on non-standard ports, it will not target ports that
it does not know are open. So make sure you configure your port ranges
appropriately. The Safe checks option will cause Nessus to rely on
version information from network service banners to determine if they are
vulnerable. This may cause false positives, but it may be useful to scan hosts
whose uptime is critical. The Port scanner section in this tab allows
you to select the type of port scan you want Nessus to perform. If most of your
hosts are behind firewalls or do not respond to ICMP echo requests, you might
want to disable the Ping the remote host option.

In the Target Selection tab, enter the IP addresses of hosts you want to
scan. Enter more than one IP address by separating each with a comma. You can
also enter a range of IP addresses using a hyphen, for example,
192.168.1.1-10. Tell Nessus to read target host IPs from a text
file by choosing the Read file... button. Once you are done entering
the target IP addresses, and are sure that you are ready to go, click on the
Start the scan button to have Nessus begin scanning.
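As an added illustration of the target syntax described above (not code from the article or from Nessus itself), the following Python helper expands a comma-separated target list, including the hyphenated last-octet range form such as 192.168.1.1-10, into individual addresses and rejects malformed entries instead of silently shrinking the scan scope. The file-reading helper assumes one entry or comma list per line; that layout and the sample inputs are constructed for this example.

```python
import ipaddress
from typing import List


def expand_target(entry: str) -> List[str]:
    """Expand one target entry into individual IPv4 addresses.

    Accepts a single address ("192.168.1.5") or a last-octet range in the
    form the article shows ("192.168.1.1-10"). Anything else raises
    ValueError so that a typo cannot quietly drop hosts from the scan.
    """
    entry = entry.strip()
    if "-" not in entry:
        return [str(ipaddress.IPv4Address(entry))]  # validates the address
    base, _, last = entry.rpartition("-")      # "192.168.1.1", "10"
    prefix, _, first = base.rpartition(".")    # "192.168.1", "1"
    lo, hi = int(first), int(last)
    if not (0 <= lo <= hi <= 255):
        raise ValueError(f"bad last-octet range: {entry}")
    return [str(ipaddress.IPv4Address(f"{prefix}.{octet}"))
            for octet in range(lo, hi + 1)]


def expand_targets(spec: str) -> List[str]:
    """Expand a comma-separated list, keeping order and dropping duplicates."""
    ips: List[str] = []
    for entry in spec.split(","):
        if entry.strip():
            for ip in expand_target(entry):
                if ip not in ips:
                    ips.append(ip)
    return ips


def targets_from_file_text(text: str) -> List[str]:
    """Expand the contents of a target file (assumed: one entry or comma
    list per line, blank lines ignored) into a de-duplicated address list."""
    ips: List[str] = []
    for line in text.splitlines():
        for ip in expand_targets(line):
            if ip not in ips:
                ips.append(ip)
    return ips


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the article.
    print(expand_targets("192.168.1.1-10, 10.0.0.7"))
    sample_file = "192.168.1.1-3\n10.0.0.7\n\n10.0.0.7\n"
    print(targets_from_file_text(sample_file))
```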

Figure 4. A Nessus report.

When Nessus finishes its scan, it will present you with a report. You can
save it in a variety of formats: HTML (with or without graphics), XML, LaTeX,
ASCII, and NBE (Nessus BackEnd). The items with a light bulb next to them are
mere notes or tips that provide information about a service or suggest best
practices to help you better secure your hosts. The items with an exclamation
mark next to them are security warnings, reported when a mild flaw is
detected. Items that have the no-entry symbol next to them indicate a severe
security hole. In case you are wondering, the authors of the individual scripts
used by the Nessus plugins decide how to categorize the findings.

Conclusion

Although Nessus is a great tool to perform automated vulnerability scanning,
its results can and often do include false positives. To see how a particular
vulnerability check works, take a look at its corresponding .nasl
script file located in /usr/local/lib/nessus/plugins. Part 2 of
this article will cover NASL, which will help you better understand how these
checks work and allow you to manually verify whether a finding is a false
positive or not. It is highly recommended that you do not solely rely on
automated vulnerability scanning tools, but also perform manual attack and
penetration reviews for a better understanding of your organization's network
security posture.

Nitesh Dhanjani is a well-known security researcher, author, and speaker. Dhanjani has been invited to talk at various information security events such as the Black Hat Briefings, RSA, Hack in the Box, Microsoft Blue Hat, and OSCON.